As Data Privacy Day approaches this week, new research conducted by ISACA reveals critical skills gaps and insufficient training. The survey report, Privacy in Practice 2021: Data Privacy Trends, Forecasts and Challenges, also explores past and future trends in privacy, offering insights into privacy workforce and skills, the use of privacy by design, and the organizational structure and composition of privacy teams.
Privacy by Design
The Privacy in Practice 2021 survey findings—gathered in Q3 2020 from 1,873 professionals who work in data privacy or have knowledge of their organizations’ data privacy functions—show some positive trends for those enterprises that report they always use privacy by design. Seventy-seven percent of those respondents believe that their boards of directors prioritize privacy (compared with 52% of all respondents). They are also less likely to view privacy programs as driven solely by compliance (22% vs. 34% total) and more likely to be driven by a combination of compliance and ethics (62% vs. 52% total). In addition, they are more likely to report that their enterprise privacy strategy aligns with organizational objectives (90% vs. 69% total).
However, though enterprises consistently using privacy by design are nearly two-and-a-half times more likely to be completely confident in the ability of their privacy team to ensure data privacy and achieve compliance with new privacy laws and regulations (24% vs. 10% total), there was not a meaningful difference in the number of privacy breaches experienced in the last 12 months. Approximately 10% of both groups reported breaches—a number that ISACA experts feel is potentially underreported.
“Privacy is not a one-time, check the box activity,” says Matt Stamper, CISA, CISM, CDPSE, CRISC, Chief Information Security Officer and Executive Advisor at EVOTEK. “The findings around data breaches illustrate that while privacy by design can bring great value to enterprises, it does not make them any less susceptible to privacy breaches, and privacy practitioners need to keep up their guard.”
In addition to breaches, respondents identified other areas as common privacy failures, including:
- Lack of training or poor training (64%)
- Failure to perform a risk analysis (53%)
- Bad or nonexistent detection of personal information (50%)
Survey respondents noted that the most helpful methods in overcoming these obstacles are using a privacy principles framework, experience-based credentials and privacy training. Additionally, they report using privacy controls including encryption (77%), identity and access management (76%), and data security (71%).
In privacy workforce trends, respondents indicated that they foresee more of an increased demand for technical privacy roles compared to legal/compliance roles (70% increase vs. 59% increase). However, they see more challenges in staffing technical privacy teams compared to legal/compliance teams; technical privacy roles were more likely to be considered understaffed (46% compared to 33%).
Nevertheless, hiring managers have been finding ways to fill these roles by training other employees—47% noted that they have been training non-privacy staff who are interested in moving into privacy roles. Ninety-two percent of respondents indicated that they have privacy staff who started their career in IT or security and moved into privacy and compliance.
“It is clear that organizations will continue needing a strong privacy workforce in the years ahead to leverage data responsibly and ensure regulatory compliance,” says Nader Qaimari, ISACA chief product officer. “As non-privacy professionals increasingly get opportunities to train for this career path and gain technical skills, it not only eases the privacy skills gap but enriches this workforce.”
Highlights from the Privacy in Practice 2021 survey will be discussed in the complimentary webinar, “Exploring Privacy Trends, Challenges & Predictions,” on 28 January 2021 at 12:00 PM (EST) / 11:00 AM (CST) / 9:00 AM (PST) / 5:00 PM (UTC). For more information or to register, visit www.isaca.org/education/online-events/lms_w012821.
To access the Privacy in Practice 2021 survey report and related guidance, visit www.isaca.org/privacy-in-practice-2021. Additional information on ISACA’s privacy resources, including the Certified Data Privacy Solutions Engineer™ (CDPSE™) certification, is available at www.isaca.org/cdpse. Professionals who interact with privacy issues can also join ISACA’s Privacy group on Engage to discuss the topic and share best practices.